lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <53848920.9070009@apache.org>
Date: Tue, 27 May 2014 13:46:24 +0100
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>
CC: Tomcat Developers List <dev@...cat.apache.org>, announce@...che.org,
  announce@...cat.apache.org, fulldisclosure@...lists.org,
  bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2014-0095 Apache Tomcat denial of service

CVE-2014-0095 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3

Description:
A regression was introduced in  revision 1519838 that caused AJP
requests to hang if an explicit content length of zero was set on the
request. The hanging request consumed a request processing thread which
could lead to a denial of service.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)

Credit:
This issue was reported as a possible bug via the Tomcat users mailing
list and the security implications were identified by theTomcat security
team.

References:
[1] http://tomcat.apache.org/security-8.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ